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DETAILED ACTION 

Response to Amendment 

1 . This action is in response to the amendment filed on September 1 2, 2008. 
Claims 1-71 were originally pending consideration. No claims were cancelled or added. 

2. Claims 1-71 are currently pending consideration. 

Information Disclosure Statement 

3. An initialed and dated copy of Applicant's IDS form 1449, received on 9/17/2008, 
is attached to this Office action. 

Response to Arguments 

Applicant's arguments filed on September 12, 2008 have been fully considered 
but they are not persuasive for the following reasons: 

Regarding claim 1 , the Applicant argues that the "password" of the claim is not 
equivalent to the "word" presented in the Cited Prior Art (CPA). This argument is not 
found persuasive. Kumhyr discloses that a word is checked for format specifications, 
and if the word meets the password specifications, the "password generator sends the 
password to the target applications" (paragraph 0026). Therefore, the word's purpose is 
to be used as a password for a target application, and therefore, it is asserted that the 
"word" is a password, as its purpose is to be used as a password. 
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Furthermore, the Applicant argues that the CPA does not teach "granting a 
different level of access than if the password meets the password criteria." Wood 
teaches a system wherein different levels of access are granted based on the 
authentication information (Wood: column 17, liens 45-60). This authentication 
information can be the composition of the password, and the trust level can be based on 
the strength of the password. Therefore, it is asserted that the CPA does teach 
"granting a different level of access than if the password meets the password criteria." 

Therefore, the rejection for the claims is given below. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-12, 15-31, 34-47, 50-6, and 68-71 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Kumhyr (U.S. Patent Pub. No. US 2004/0250139 A1) in 
view of Wood etal. (U.S. Patent 6,944,761). 

Regarding claim 1, Kumhyr discloses: 

A method of dynamically mitigating a noncompliant password, the method 
comprising the machine-implemented steps of: 
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obtaining a password from a user when the user attempts to access a service 
(paragraph 0026: receives a password); 

determining whether the password meets quality criteria (paragraph 0026: 
checks the password for compliance with format specification); and 

if the password does not meet the quality criteria, performing one or more 
responsive actions that relate to accessing the service (paragraph 0027: wherein if the 
password does not comply, a responsive action is taken). 

Kumhyr does not explicitly disclose granting a first level of access based on a 
first quality criteria, and granting a second level of access based on meeting a second 
level of quality criteria. Wood teaches granting different levels of trust level based on 
the authentication information (passwords) (Wood: column 17, lines 45-60). It would 
have been obvious to use the method of providing different levels of access with 
different passwords to provide an "authentication level commensurate with the 
authentication requirements of at least one of the information resources" (Wood: 
column 4, lines 7-13). 

Claim 2 is rejected as applied above in rejecting claim 1 . Kumhyr does not 
explicitly disclose granting a first level of access based on a first quality criteria, and 
granting a second level of access based on meeting a second level of quality criteria. 
Wood teaches granting different levels of trust level based on the authentication 
information (passwords) (Wood: column 17, lines 45-60). It would have been obvious 
to use the method of providing different levels of access with different passwords to 
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provide an "authentication level commensurate with the authentication requirements of 
at least one of the information resources" (Wood: column 4, lines 7-13). 

Claim 3 is rejected as applied above in rejecting claim 1. Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the step of performing one or more responsive 
actions that relate to accessing the service comprises performing one or more of: 
logging information related to the password; 
sending a report about the password; 

generating an alert about the password; forcing a password change; or 
blocking the user's access to the service (paragraph 0027: wherein the 
password is adjusted to meet the specifications). 

Claim 4 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the method further comprises, if the password 
does meet the quality criteria, providing user access to the service (paragraph 0026: 
wherein if the password meets the specifications, the password is forwarded to the 
specified application). 

Claim 5 is rejected as applied above in rejecting claim 1. Furthermore, Kumhyr 
discloses: 
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The method of claim 1 , wherein the step of determining whether the password 
meets quality criteria further comprises one or more of the steps of: 

performing a dictionary look-up based on the one or more symbols used in the 
password; 

checking the length of the one or more symbols used in the password; 
checking the number of unique characters of the one or more symbols used in 
the password; 

checking the case of the characters in the one or more symbols used in the 
password; 

checking the sequencing of characters in the one or more symbols used in the 
password; or 

performing statistical analysis based on the one or more symbols used in the 
password (paragraph 0027: wherein the number of characters may be adjusted). 

Claim 6 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the step of performing one or more responsive 
actions that relate to accessing the service comprises logging information related to the 
password (paragraph 0027). 

Claim 7 is rejected as applied above in rejecting claim 1. Furthermore, Kumhyr 
discloses: 



Application/Control Number: 10/825,827 Page 7 

Art Unit: 2431 

The method of claim 1 , wherein the step of performing one or more responsive 
actions that relate to accessing the service comprises sending a report about the 
password (paragraph 0027: wherein the password is determined to match up with a 
password format specification). 

Claim 8 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the step of performing one or more responsive 
actions that relate to accessing the service comprises generating an alert about the 
password (paragraph 0027: wherein the password is determined to match up with a 
password format specification). 

Claim 9 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the step of performing one or more responsive 
actions that relate to accessing the service comprises forcing a password change 
(paragraph 0027: wherein the password is adjusted to meet the specifications). 

Claim 10 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the step of performing one or more responsive 
actions that relate to accessing the service comprises blocking the user's access to the 
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service (paragraph 0027: wherein access to the application is not permitted if the 
password does not meet the format specifications). 

Claim 11 is rejected as applied above in rejecting claim 1. Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein obtaining the password from the user comprises 
obtaining the password from the user via a graphical user interface (paragraph 0020: 
receiving a password from a user). 

Claim 12 is rejected as applied above in rejecting claim 1 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein obtaining the password from the user comprises 
obtaining the password from the user via an electronic interface (paragraph 0020: 
receiving a password from a user). 

Claim 15 is rejected as applied above in rejecting claim 1. Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the user is associated with a particular user role, 
and wherein determining whether the password meets quality criteria comprises 
determining whether the password meets quality criteria for the particular user role 
(paragraph 0026: wherein the password is checked for compliance with a format 
specification for a target application (user role)). 
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Claim 16 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein determining whether the password meets quality 
criteria comprises determining whether the password meets quality criteria for the 
service (paragraph 0026: wherein the password is checked for compliance with a 
format specification for a target application). 

Claim 17 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the step of obtaining the password comprises an 
access service obtaining the password from the user when the user attempts to access 
the service, and wherein the access service comprises machine executable instructions 
executing on a particular machine, and the service comprises machine executable 
instruction executing on the same particular machine (paragraph 0026: wherein the 
password is to access a target application which could be on the same machine or a 
distinct machine). 

Claim 18 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

The method of claim 1 , wherein the step of obtaining the password comprises an 
access service obtaining the password from the user when the user attempts to access 
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the service, and wherein the access service comprises machine executable instructions 
executing on a first machine and the service comprises machine executable instructions 
executing on a second machine, wherein the first machine is distinct from the second 
machine (paragraph 0026: wherein the password is to access a target application 
which could be on the same machine or a distinct machine). 

Regarding claim 19, Kumhyr discloses: 

A method of dynamically mitigating a noncompliant password, the method 
comprising the machine-implemented steps of: 

obtaining a password from a user when the user attempts to access a service 
(paragraph 0026: receives a password); 

determining whether the password meets quality criteria (paragraph 0026: 
checks the password for compliance with format specification); and 

if the password does not meet the quality criteria, performing one or more of: 

forcing a password change (paragraph 0027: wherein the password is adjusted 
to meet the specifications); or 

blocking the user's access to the service; and 

wherein the step of determining whether the password meets quality criteria 
further comprises one or more of the steps of: 

performing a dictionary look-up based on the one or more symbols used in the 
password; 

checking the length of the one or more symbols used in the password; 
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checking the number of unique characters of the one or more symbols used in 
the password; 

checking the case of the characters in the one or more symbols used in the 
password; 

checking the sequencing of characters in the one or more symbols used in the 
password; or 

performing statistical analysis based on the one or more symbols used in the 
password (paragraph 0027: wherein the number of characters may be adjusted). 

Kumhyr does not explicitly disclose granting a first level of access based on a 
first quality criteria, and granting a second level of access based on meeting a second 
level of quality criteria. Wood teaches granting different levels of trust level based on 
the authentication information (passwords) (Wood: column 17, lines 45-60). It would 
have been obvious to use the method of providing different levels of access with 
different passwords to provide an "authentication level commensurate with the 
authentication requirements of at least one of the information resources" (Wood: 
column 4, lines 7-13). 

Regarding claim 20, Kumhyr discloses: 

A machine-readable medium carrying one or more sequences of instructions for 
dynamically mitigating a noncompliant password, which instructions, when executed by 
one or more processors, cause the one or more processors to carry out the steps of: 
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obtaining a password from a user when the user attempts to access a service 
(paragraph 0026: receives a password); 

determining whether the password meets quality criteria (paragraph 0026: 
checks the password for compliance with format specification); and 

if the password does not meet the quality criteria, performing one or more 
responsive actions that relate to accessing the service (paragraph 0027: wherein if the 
password does not comply, a responsive action is taken). 

Kumhyr does not explicitly disclose granting a first level of access based on a 
first quality criteria, and granting a second level of access based on meeting a second 
level of quality criteria. Wood teaches granting different levels of trust level based on 
the authentication information (passwords) (Wood: column 17, lines 45-60). It would 
have been obvious to use the method of providing different levels of access with 
different passwords to provide an "authentication level commensurate with the 
authentication requirements of at least one of the information resources" (Wood: 
column 4, lines 7-13). 

Claim 21 is rejected as applied above in rejecting claim 20. Kumhyr does not explicitly 
disclose granting a first level of access based on a first quality criteria, and granting a 
second level of access based on meeting a second level of quality criteria. Wood 
teaches granting different levels of trust level based on the authentication information 
(passwords) (Wood: column 17, lines 45-60). It would have been obvious to use the 
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method of providing different levels of access with different passwords to provide an 
"authentication level commensurate with the authentication requirements of at least one 
of the information resources" (Wood: column 4, lines 7-13). 

Claim 22 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein the step of performing one 
or more responsive actions that relate to accessing the service comprises performing 
one or more of: 

logging information related to the password; 

sending a report about the password; 

generating an alert about the password; 

forcing a password change; or 

blocking the user's access to the service (paragraph 0027: wherein the 
password is adjusted to meet the specifications). 

Claim 23 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, further comprising instructions which, 
when executed by the one or more processors, cause the one or more processors to 
carry out the step of, if the password does meet the quality criteria, providing user 
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access to the service (paragraph 0026: wherein if the password meets the 
specifications, the password is forwarded to the specified application). 

Claim 24 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein the step of determining 
whether the password meets quality criteria further comprises one or more of the steps 
of: performing 

a dictionary look-up based on the one or more symbols used in the password; 
checking the length of the one or more symbols used in the password; 
checking the number of unique characters of the one or more symbols used in 
the password; 

checking the case of the characters in the one or more symbols used in the 
password; 

checking the sequencing of characters in the one or more symbols used in the 
password; or 

performing statistical analysis based on the one or more symbols used in the 
password (paragraph 0027: wherein the number of characters may be adjusted). 

Claim 25 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 
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The machine-readable medium of claim 20, wherein the step of performing one 
or more responsive actions that relate to accessing the service comprises logging 
information related to the password (paragraph 0027). 

Claim 26 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein the step of performing one 
or more responsive actions that relate to accessing the service comprises sending a 
report about the password (paragraph 0027: wherein the password is determined to 
match up with a password format specification). 

Claim 27 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein the step of performing one 
or more responsive actions that relate to accessing the service comprises generating an 
alert about the password (paragraph 0027: wherein the password is determined to 
match up with a password format specification). 

Claim 28 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein the step of performing one 
or more responsive actions that relate to accessing the service comprises forcing a 
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password change (paragraph 0027: wherein the password is adjusted to meet the 
specifications). 

Claim 29 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein the step of performing one 
or more responsive actions that relate to accessing the service comprises blocking the 
user's access to the service (paragraph 0027: wherein access to the application is not 
permitted if the password does not meet the format specifications). 

Claim 30 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein obtaining the password from 
the user comprises obtaining the password from the user via a graphical user interface 
(paragraph 0020: receiving a password from a user). 

Claim 31 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein obtaining the password from 
the user comprises obtaining the password from the user via an electronic interface 
(paragraph 0020: receiving a password from a user). 
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Claim 34 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein the user is associated with a 
particular user role, and wherein determining whether the password meets quality 
criteria comprises determining whether the password meets quality criteria for the 
particular user role, (paragraph 0026: wherein the password is checked for compliance 
with a format specification for a target application (user role)). 

Claim 35 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, wherein determining whether the 
password meets quality criteria comprises determining whether the password meets 
quality criteria for the service (paragraph 0026: wherein the password is checked for 
compliance with a format specification for a target application). 

Regarding claim 36, Kumhyr discloses: 

An apparatus for dynamically mitigating a noncompliant password, comprising: 
means for obtaining a password from a user when the user attempts to access a 

service (paragraph 0026: receives a password); 

means for determining whether the password meets quality criteria (paragraph 

0026: checks the password for compliance with format specification); and 
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means for performing one or more responsive actions that relate to accessing the 
service if the password does not meet the quality criteria (paragraph 0027: wherein if 
the password does not comply, a responsive action is taken). 

Claim 37 is rejected as applied above in rejecting claim 36. Kumhyr does not explicitly 
disclose granting a first level of access based on a first quality criteria, and granting a 
second level of access based on meeting a second level of quality criteria. Wood 
teaches granting different levels of trust level based on the authentication information 
(passwords) (Wood: column 17, lines 45-60). It would have been obvious to use the 
method of providing different levels of access with different passwords to provide an 
"authentication level commensurate with the authentication requirements of at least one 
of the information resources" (Wood: column 4, lines 7-13). 

Claim 38 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for performing one or more 
responsive actions that relate to accessing the service comprises one or more of: 
means for logging information related to the password; 
means for sending a report about the password; 
means for generating an alert about the password; 
means for forcing a password change; or 
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means for blocking the user's access to the service (paragraph 0027: wherein 
the password is adjusted to meet the specifications). 

Claim 39 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the apparatus further comprises means for 
providing user access to the service if the password does meet the quality criteria 
(paragraph 0026: wherein if the password meets the specifications, the password is 
forwarded to the specified application). 

Claim 40 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for determining whether the 
password meets quality criteria further comprises one or more of: 

means for performing a dictionary look-up based on the one or more symbols 
used in the password; 

means for checking the length of the one or more symbols used in the password; 

means for checking the number of unique characters of the one or more symbols 
used in the password; 

means for checking the case of the characters in the one or more symbols used 
in the password; 
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means for checking the sequencing of characters in the one or more symbols 
used in the password; or 

means for performing statistical analysis based on the one or more symbols used 
in the password (paragraph 0027: wherein the number of characters may be adjusted). 

Claim 41 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for performing one or more 
responsive actions that relate to accessing the service comprises means for logging 
information related to the password (paragraph 0027). 

Claim 42 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for performing one or more 
responsive actions that relate to accessing the service comprises means for sending a 
report about the password (paragraph 0027: wherein the password is determined to 
match up with a password format specification). 

Claim 43 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for performing one or more 
responsive actions that relate to accessing the service comprises means for generating 



Application/Control Number: 10/825,827 Page 21 

Art Unit: 2431 

an alert about the password (paragraph 0027: wherein the password is determined to 
match up with a password format specification). 

Claim 44 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for performing one or more 
responsive actions that relate to accessing the service comprises means for forcing a 
password change (paragraph 0027: wherein the password is adjusted to meet the 
specifications). 

Claim 45 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for performing one or more 
responsive actions that relate to accessing the service comprises means for blocking 
the user's access to the service (paragraph 0027: wherein access to the application is 
not permitted if the password does not meet the format specifications). 

Claim 46 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for obtaining the password from 
the user comprises means for obtaining the password from the user via a graphical user 
interface (paragraph 0020: receiving a password from a user). 
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Claim 47 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for obtaining the password from 
the user comprises means for obtaining the password from the user via an electronic 
interface (paragraph 0020: receiving a password from a user). 

Claim 50 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the user is associated with a particular user 
role, and wherein means for determining whether the password meets quality criteria 
comprises means for determining whether the password meets quality criteria for the 
particular user role (paragraph 0026: wherein the password is checked for compliance 
with a format specification for a target application (user role)). 

Claim 51 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein means for determining whether the password 
meets quality criteria comprises means for determining whether the password meets 
quality criteria for the service (paragraph 0026: wherein if the password meets the 
specifications, the password is forwarded to the specified application). 
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Claim 52 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for obtaining the password 
comprises means for an access service to obtain the password from the user when the 
user attempts to access the service, and wherein the access service comprises means 
for executing on a particular machine, and wherein the service comprises means for 
executing on the same particular machine (paragraph 0026: wherein the password is to 
access a target application which could be on the same machine or a distinct machine). 

Claim 53 is rejected as applied above in rejecting claim 36. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 36, wherein the means for obtaining the password 
comprises means for an access service to obtain the password from the user when the 
user attempts to access the service, and wherein the access service comprises means 
for executing on a first machine and the service comprises means for executing on a 
second machine, wherein the first machine is distinct from the second machine 
(paragraph 0026: wherein the password is to access a target application which could 
be on the same machine or a distinct machine). 

Regarding claim 54, Kumhyr discloses: 

An apparatus for dynamically mitigating a noncompliant password, comprising: 
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a network interface that is coupled to the data network for receiving one or more 
packet flows therefrom (paragraph 0026); 
a processor (paragraph 0026); 

one or more stored sequences of instructions which, when executed by the 
processor, cause the processor to carry out the steps of: 

obtaining a password from a user when the user attempts to access a service 
(paragraph 0026: receives a password); 

determining whether the password meets quality criteria (paragraph 0026: 
checks the password for compliance with format specification); and 

if the password does not meet the quality criteria, performing one or more 
responsive actions that relate to accessing the service (paragraph 0027: wherein if the 
password does not comply, a responsive action is taken). 

Kumhyr does not explicitly disclose granting a first level of access based on a 
first quality criteria, and granting a second level of access based on meeting a second 
level of quality criteria. Wood teaches granting different levels of trust level based on 
the authentication information (passwords) (Wood: column 17, lines 45-60). It would 
have been obvious to use the method of providing different levels of access with 
different passwords to provide an "authentication level commensurate with the 
authentication requirements of at least one of the information resources" (Wood: 
column 4, lines 7-13). 
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Claim 55 is rejected as applied above in rejecting claim 54. Kumhyr does not 
explicitly disclose granting a first level of access based on a first quality criteria, and 
granting a second level of access based on meeting a second level of quality criteria. 
Wood teaches granting different levels of trust level based on the authentication 
information (passwords) (Wood: column 17, lines 45-60). It would have been obvious 
to use the method of providing different levels of access with different passwords to 
provide an "authentication level commensurate with the authentication requirements of 
at least one of the information resources" (Wood: column 4, lines 7-13). 

Claim 56 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of performing one or more 
responsive actions that relate to accessing the service comprises performing one or 
more of: 

logging information related to the password; 
sending a report about the password; 
generating an alert about the password; 
forcing a password change; or 

blocking the user's access to the service (paragraph 0027: wherein the 
password is adjusted to meet the specifications). 
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Claim 57 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the apparatus further comprises one or more 
stored sequences of instructions which, when executed by the processor, cause the 
processor to carry out the step of, if the password does meet the quality criteria, 
providing user access to the service (paragraph 0026: wherein if the password meets 
the specifications, the password is forwarded to the specified application). 

Claim 58 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of determining whether the 
password meets quality criteria comprises one or more of the steps of: 

performing a dictionary look-up based on the one or more symbols used in the 
password; 

checking the length of the one or more symbols used in the password; 
checking the number of unique characters of the one or more symbols used in 
the password; 

checking the case of the characters in the one or more symbols used in the 
password; 

checking the sequencing of characters in the one or more symbols used in the 
password; or 
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performing statistical analysis based on the one or more symbols used in the 
password (paragraph 0027: wherein the number of characters may be adjusted). 

Claim 59 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of performing one or more 
responsive actions that relate to accessing the service comprises logging information 
related to the password (paragraph 0027). 

Claim 60 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of performing one or more 
responsive actions that relate to accessing the service comprises sending a report 
about the password (paragraph 0027: wherein the password is determined to match up 
with a password format specification). 

Claim 61 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of performing one or more 
responsive actions that relate to accessing the service comprises generating an alert 
about the password (paragraph 0027: wherein the password is determined to match up 
with a password format specification). 



Application/Control Number: 10/825,827 
Art Unit: 2431 



Page 28 



Claim 62 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of performing one or more 
responsive actions that relate to accessing the service comprises forcing a password 
change (paragraph 0027: wherein the password is adjusted to meet the specifications). 

Claim 63 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of performing one or more 
responsive actions that relate to accessing the service comprises blocking the user's 
access to the service (paragraph 0027: wherein access to the application is not 
permitted if the password does not meet the format specifications). 

Claim 64 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein obtaining the password from the user 
comprises obtaining the password from the user via a graphical user interface 
(paragraph 0020: receiving a password from a user). 

Claim 65 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 
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The apparatus of claim 54, wherein obtaining the password from the user 
comprises obtaining the password from the user via an electronic interface (paragraph 
0020: receiving a password from a user). 

Claim 68 is rejected as applied above in rejecting 54. Furthermore, Kumhyr discloses: 
The apparatus of claim 54, wherein the user is associated with a particular user 
role, and wherein determining whether the password meets quality criteria comprises 
determining whether the password meets quality criteria for the particular user role 
(paragraph 0026: wherein the password is checked for compliance with a format 
specification for a target application (user role)). 

Claim 69 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein determining whether the password meets 
quality criteria comprises determining whether the password meets quality criteria for 
the service (paragraph 0026: wherein if the password meets the specifications, the 
password is forwarded to the specified application). 

Claim 70 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of obtaining the password comprises 
an access service obtaining the password from the user when the user attempts to 
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access the service, and wherein the access service comprises machine executable 
instructions executing on the apparatus, and the service comprises machine executable 
instruction executing on the same apparatus (paragraph 0026: wherein the password is 
to access a target application which could be on the same machine or a distinct 
machine). 

Claim 71 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, wherein the step of obtaining the password comprises 
an access service obtaining the password from the user when the user attempts to 
access the service, and wherein the access service comprises machine executable 
instructions executing on a first machine and the service comprises machine executable 
instructions executing on a second machine, wherein the first machine is distinct from 
the second machine (paragraph 0026: wherein the password is to access a target 
application which could be on the same machine or a distinct machine). 

Claims 13, 32, 48, and 66 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kumhyr (U.S. Patent Pub. No. US 2004/0250139 A1) in view of 
Hurley (U.S. Patent Pub. US 2004/0250139 A1). 



Claim 13 is rejected as applied above in rejecting claim 1 . Kumhyr does not 
explicitly disclose that a quality score is generated for a password, which is compared to 
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a threshold value. Hurley discloses a system using a quality meter which compares the 
quality of password to the minimum threshold, and if it does not meet it, a message is 
displayed (Hurley: paragraph 0030). Hurley and Kumhyr are analogous arts because 
both have to do with passwords and measuring their quality. It would have been 
obvious to one of ordinary skill in the art to use the quality meter of Hurley in the system 
of Kumhyr to check if a password is vulnerable to cracking and to notify the user on how 
to improve the quality (Hurley: paragraphs 0004-0005). 

Claim 32 is rejected as applied above in rejecting claim 20. Kumhyr does not 
explicitly disclose that a quality score is generated for a password, which is compared to 
a threshold value. Hurley discloses a system using a quality meter which compares the 
quality of password to the minimum threshold, and if it does not meet it, a message is 
displayed (Hurley: paragraph 0030). Hurley and Kumhyr are analogous arts because 
both have to do with passwords and measuring their quality. It would have been 
obvious to one of ordinary skill in the art to use the quality meter of Hurley in the system 
of Kumhyr to check if a password is vulnerable to cracking and to notify the user on how 
to improve the quality (Hurley: paragraphs 0004-0005). 

Claim 48 is rejected as applied above in rejecting claim 36. Kumhyr does not 
explicitly disclose that a quality score is generated for a password, which is compared to 
a threshold value. Hurley discloses a system using a quality meter which compares the 
quality of password to the minimum threshold, and if it does not meet it, a message is 
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displayed (Hurley: paragraph 0030). Hurley and Kumhyr are analogous arts because 
both have to do with passwords and measuring their quality. It would have been 
obvious to one of ordinary skill in the art to use the quality meter of Hurley in the system 
of Kumhyr to check if a password is vulnerable to cracking and to notify the user on how 
to improve the quality (Hurley: paragraphs 0004-0005). 

Claim 66 is rejected as applied above in rejecting claim 54. Kumhyr does not 
explicitly disclose that a quality score is generated for a password, which is compared to 
a threshold value. Hurley discloses a system using a quality meter which compares the 
quality of password to the minimum threshold, and if it does not meet it, a message is 
displayed (Hurley: paragraph 0030). Hurley and Kumhyr are analogous arts because 
both have to do with passwords and measuring their quality. It would have been 
obvious to one of ordinary skill in the art to use the quality meter of Hurley in the system 
of Kumhyr to check if a password is vulnerable to cracking and to notify the user on how 
to improve the quality (Hurley: paragraphs 0004-0005). 

Claims 14, 33, and 67 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kumhyr (U.S. Patent Pub. No. US 2004/0250139 A1) in view of 
Casco-Arias et al. (U.S. Patent Pub. No. US 2004/0250141 A1). 
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Claim 14 is rejected as applied above in rejecting claim 1 . Furthermore, Kumhyr 
discloses: 

making a first determination whether the password meets quality criteria 
(paragraph 0026: wherein if the password meets the specifications, the password is 
forwarded to the specified application); 

storing in a particular machine-readable medium an indication of the first 
determination of the password (paragraph 0026: wherein if the password meets the 
specifications, the password is forwarded to the specified application (machine))) 

wherein the step of determining whether the password meets quality criteria 
comprises accessing the particular machine-readable medium ((paragraph 0026: 
wherein if the password meets the specifications, the password is forwarded to the 
specified application). 

Kumhyr does not explicitly disclose obtaining a password from a repository of 
passwords. Casco-Arias teaches a password repository to store passwords (Casco- 
Arias: paragraph 0019). The password repository of Casco-Arias could be used with 
the system of Kumhyr to store passwords which are generated. It would have been 
obvious to use the password repository of Casco-Arias in the system of Kumhyr so that 
"passwords may be centrally managed according to shared password policies" which 
can provide "more uniform levels of password strength among the data processing 
systems and may allow a user to request and/or change passwords in a more 
consistent manner" (Casco-Arias: paragraph 0007). 
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Claim 33 is rejected as applied above in rejecting claim 20. Furthermore, Kumhyr 
discloses: 

The machine-readable medium of claim 20, further comprising instructions which, 
when executed by the one or more processors, cause the one or more processors to 
carry out the steps of: 

making a first determination whether the password meets quality criteria 
(paragraph 0026: wherein if the password meets the specifications, the password is 
forwarded to the specified application); 

storing in a particular machine-readable medium an indication of the first 
determination of the password (paragraph 0026: wherein if the password meets the 
specifications, the password is forwarded to the specified application (machine))) 

wherein the step of determining whether the password meets quality criteria 
comprises accessing the particular machine-readable medium ((paragraph 0026: 
wherein if the password meets the specifications, the password is forwarded to the 
specified application). 

Kumhyr does not explicitly disclose obtaining a password from a repository of 
passwords. Casco-Arias teaches a password repository to store passwords (Casco- 
Arias: paragraph 0019). The password repository of Casco-Arias could be used with 
the system of Kumhyr to store passwords which are generated. It would have been 
obvious to use the password repository of Casco-Arias in the system of Kumhyr so that 
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"passwords may be centrally managed according to shared password policies" which 
can provide "more uniform levels of password strength among the data processing 
systems and may allow a user to request and/or change passwords in a more 
consistent manner" (Casco-Arias: paragraph 0007). 

Claim 67 is rejected as applied above in rejecting claim 54. Furthermore, Kumhyr 
discloses: 

The apparatus of claim 54, further comprising one or more stored sequences of 
instructions which, when executed by the processor, cause the processor to carry out 
the steps of: 

making a first determination whether the password meets quality criteria 
(paragraph 0026: wherein if the password meets the specifications, the password is 
forwarded to the specified application); 

storing in a particular machine-readable medium an indication of the first 
determination of the password (paragraph 0026: wherein if the password meets the 
specifications, the password is forwarded to the specified application (machine))) 

wherein the step of determining whether the password meets quality criteria 
comprises accessing the particular machine-readable medium ((paragraph 0026: 
wherein if the password meets the specifications, the password is forwarded to the 
specified application). 
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Kumhyr does not explicitly disclose obtaining a password from a repository of 
passwords. Casco-Arias teaches a password repository to store passwords (Casco- 
Arias: paragraph 0019). The password repository of Casco-Arias could be used with 
the system of Kumhyr to store passwords which are generated. It would have been 
obvious to use the password repository of Casco-Arias in the system of Kumhyr so that 
"passwords may be centrally managed according to shared password policies" which 
can provide "more uniform levels of password strength among the data processing 
systems and may allow a user to request and/or change passwords in a more 
consistent manner" (Casco-Arias: paragraph 0007). 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to KAVEH ABRISHAMKAR whose telephone number is 
(571)272-3786. The examiner can normally be reached on Monday thru Friday 8-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Kaveh Abrishamkar/ 
Primary Examiner, Art Unit 2431 
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01/04/2009 
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